
Debian GNU/Linux has received several security updates, covering simgear, flightgear, bind9, and pam-u2f:

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4034-1] simgear security update
[DLA 4035-1] flightgear security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5854-1] bind9 security update
[DSA 5853-1] pam-u2f security update





[SECURITY] [DLA 4034-1] simgear security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4034-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Dr. Tobias Quathamer
January 29, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : simgear
Version : 1:2020.3.6+dfsg-1+deb11u1
CVE ID : CVE-2025-0781

A security vulnerability has been discovered in simgear, a collection of
libraries for constructing simulation and visualization applications
such as FlightGear.

An attacker can bypass the sandboxing of Nasal scripts and arbitrarily
write to any file path that the user has permission to modify at the
operating-system level.

For Debian 11 bullseye, this problem has been fixed in version
1:2020.3.6+dfsg-1+deb11u1.

We recommend that you upgrade your simgear packages.

For the detailed security status of simgear please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/simgear

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5854-1] bind9 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5854-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 29, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bind9
CVE ID : CVE-2024-11187 CVE-2024-12705

Several vulnerabilities were discovered in BIND, a DNS server
implementation, which may result in denial of service.

For the stable distribution (bookworm), these problems have been fixed in
version 1:9.18.33-1~deb12u2.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5853-1] pam-u2f security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5853-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 29, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : pam-u2f
CVE ID : CVE-2025-23013

Matthias Gerstner reported that pam-u2f, a PAM module which allows to
use U2F (Universal 2nd Factor) devices in the PAM authentication stack,
does not properly handle PAM_IGNORE return values, allowing to bypass
the second factor or password-less login without inserting the proper
device.

For the stable distribution (bookworm), this problem has been fixed in
version 1.1.0-1.1+deb12u1.

We recommend that you upgrade your pam-u2f packages.

For the detailed security status of pam-u2f please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pam-u2f

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4035-1] flightgear security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4035-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Dr. Tobias Quathamer
January 29, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : flightgear
Version : 1:2020.3.6+dfsg-1+deb11u1
CVE ID : CVE-2025-0781

A security vulnerability has been discovered in flightgear, a flight
simulator.

An attacker can bypass the sandboxing of Nasal scripts and arbitrarily
write to any file path that the user has permission to modify at the
operating-system level.

For Debian 11 bullseye, this problem has been fixed in version
1:2020.3.6+dfsg-1+deb11u1.

We recommend that you upgrade your flightgear packages.

For the detailed security status of flightgear please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flightgear

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
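The four advisories above each name a fixed version for a source package. As an added example (not part of the advisories or of any Debian tool), the following sketch compares installed source versions against those fixed versions using the ordering rules from Debian Policy, including the `~` rule that matters for `1:9.18.33-1~deb12u2`. The function names and the matching by source package name are choices made for this example.

```python
import re
import subprocess
import sys

# Fixed source-package versions per release, copied from the advisories above.
FIXED = {
    "bullseye": {"simgear": "1:2020.3.6+dfsg-1+deb11u1", "flightgear": "1:2020.3.6+dfsg-1+deb11u1"},
    "bookworm": {"bind9": "1:9.18.33-1~deb12u2", "pam-u2f": "1.1.0-1.1+deb12u1"},
}

def _key(part):
    """Split one version part into (non-digit weights, number) chunks (Policy 5.6.12)."""
    def weight(c):  # '~' < end of string (0) < letters < other characters
        return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    return [([weight(c) for c in nd], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", part) if nd or d]

def _cmp_part(a, b):
    ka, kb = _key(a), _key(b)
    for i in range(max(len(ka), len(kb))):
        (na, da), (nb, db) = (k[i] if i < len(k) else ([], 0) for k in (ka, kb))
        pad = max(len(na), len(nb))  # a shorter run is padded with "end of string"
        ca, cb = (na + [0] * (pad - len(na)), da), (nb + [0] * (pad - len(nb)), db)
        if ca != cb:
            return -1 if ca < cb else 1
    return 0

def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    def split(v):  # [epoch:]upstream[-revision]; the revision follows the last hyphen
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(release, dpkg_lines):
    """Return (binary, source, version) for installed packages below the fixed version."""
    fixed = FIXED.get(release, {})
    rows = (line.split() for line in dpkg_lines)
    return [(r[3], r[1], r[2]) for r in rows  # only fully installed ("ii") packages count
            if len(r) == 4 and r[0] == "ii" and r[1] in fixed
            and compare(r[2], fixed[r[1]]) < 0]

if __name__ == "__main__":  # on a Debian host, pass the release codename, e.g. bookworm
    release = sys.argv[1] if len(sys.argv) > 1 else ""
    fmt = "${db:Status-Abbrev} ${source:Package} ${source:Version} ${Package}\n"
    out = subprocess.check_output(["dpkg-query", "-W", "--showformat=" + fmt], text=True)
    print(unpatched(release, out.splitlines()))
```

An empty list means no installed package built from the listed sources is below the fixed version for that release; releases the advisories do not cover return an empty list rather than a verdict.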